Only show these results:

Revoking Access Tokens

The Nylas <ACCESS_TOKEN> never expires. If you want to stop using it, you'll have to revoke it. If you ever need to re-authenticate an account, you can have more than one access token for an account.

Even though a Nylas access token never expires, it's possible for them to become invalidated or de-authenticated.

Revoking Tokens

Since Nylas access tokens never expire, we recommend revoking former Nylas access tokens when you re-authenticate accounts. You can use the Account Management /revoke-all endpoint with the keep_access_token body parameter to ensure former access tokens are revoked. An example workflow is described below:

  1. Authenticate a Google account and get the initial <ACCESS_TOKEN>.
  2. The user changes their password and the account becomes invalidated. However, the initial Nylas <ACCESS_TOKEN> is still active.
  3. Re-authenticate the Google account and receive a new <ACCESS_TOKEN> for the account.
  4. Call the /revoke-all endpoint with keep_access_token=<ACCESS_TOKEN> using the new access token from Step 3.

Gmail Limitations

If you use the /revoke-all endpoint, and don't use the keep_access_token to keep at least one access token, the Gmail refresh_token is also revoked.